FaceTime for Mac security hole easily remedied

Macworld Germany has described what they're calling a security hole in the FaceTime for Mac beta (Google translation). The gist is this: once a user has logged into FaceTime for the Mac, his/her Apple ID and password can be altered from the app by anyone with access to the computer while FaceTime is running.

Let that sink in for a second.

If you were to log into FaceTime for Mac and then abandon your computer with everything running and no concern for who has access to it and for how long, there's a possibility that a ne'er-do-well could sit down in your empty but still warm chair and engage in a scandalous conversation with your poor Aunt Shirley (who undoubtedly is wondering why you'd be dumb enough to walk away from your operational Mac in public) before changing your password and making several pricey purchases in iTunes.

In related security news, cash registers left unattended with their drawers open are likely to be robbed and cars left running with the doors unlocked are likely to be stolen. As Ars notes, "...whoever happens to be sitting at the computer can change the associated account password."

In the interest of our readers' safety, here are a few steps we suggest you take:
  • Don't go to the bathroom while FaceTime is running on your Mac at Starbucks. Hell, don't leave your Mac on a table at Starbucks no matter what it's doing.
  • Don't run FaceTime on a public computer.
  • If the "office prankster" asks to use your FaceTime account to make a call, SAY NO.
  • Think. Physical access is total access.
The takeaway here is this: any miscreant who has physical access to your computer is a potential security threat.


21 Comments

Tobias Fredriksson

This seems to have been taken care of already.

Whenever I press account and then show account it just goes back to the "account" screen in settings where I can add e-mail addresses.

October 21 2010 at 11:49 PM
totoro

Someone else with access to my computer? FaceTime and my iTunes account are the least of my worries.

October 21 2010 at 4:06 PM
ilo.vekdl

That being said, they should still fix it. A layered defense is best.

October 21 2010 at 3:06 PM
Korpil

But anyway, this IS a major security hole. Any password change MUST ask for the previous password as confirmation.

Beta or not, it's a huge problem.

October 21 2010 at 2:02 PM
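
The control asked for in the comment above (confirm the previous password before any change), set beside the session-only behaviour the article describes. This is an added example, not code from Apple, FaceTime or the original page; `AccountService`, its method names and the sample credentials are hypothetical.

```python
import hashlib
import hmac
import os
import secrets


class AccountService:
    """Toy in-memory account store, constructed for illustration only."""

    def __init__(self):
        self._users = {}     # account id -> (salt, scrypt hash)
        self._sessions = {}  # session token -> account id

    @staticmethod
    def _hash(password, salt):
        return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

    def register(self, account, password):
        salt = os.urandom(16)
        self._users[account] = (salt, self._hash(password, salt))

    def verify(self, account, password):
        if account not in self._users:
            return False
        salt, stored = self._users[account]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def login(self, account, password):
        if not self.verify(account, password):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions[token] = account
        return token

    def change_password_session_only(self, token, new_password):
        # Weak form: a live session alone authorises the change, so whoever
        # is sitting at the logged-in machine can replace the password.
        account = self._sessions.get(token)
        if account is None:
            return False
        self.register(account, new_password)
        return True

    def change_password_reauth(self, token, current_password, new_password):
        # Hardened form: the caller must prove knowledge of the current
        # password; on success every session for the account is revoked.
        account = self._sessions.get(token)
        if account is None or not self.verify(account, current_password):
            return False
        self.register(account, new_password)
        self._sessions = {t: a for t, a in self._sessions.items() if a != account}
        return True
```
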
Korpil

I'm unable to reproduce this... whenever I click on "See account", it opens the Account window, but it's completely blank, and then goes back to the previous menu...

October 21 2010 at 2:00 PM
Max

If you are in Italy, well....

1. don't worry there is no Starbucks..
2. If there were Starbucks, with free internet connection, the place would be rammed with people trying to steal the connection and there would be no free seats, so no risk for your e-credentials.
3. If you were lucky enough to find a seat and FaceTime someone overseas, and you suddenly had the need to go empty your bladder (or worse) and you left your laptop, open at the table, then... I am sorry.... but you deserve to "lose" your credentials...
4. If you are lucky enough, you won't need your Apple credentials anymore. Because your laptop would have a brand new owner :-)
5. I am Italian and I am allowed to make jokes on my country. If you try to be sarcastic on this, I will send my friends to you with "an offer you can't refuse..."

October 21 2010 at 1:45 PM
Shunnabunich

Cash register drawers can be closed, and car doors locked. In fact, that is the default state of those objects when operated by anyone not suffering from debilitating memory or cognitive impairment. FaceTime for Mac, at least until this security hole is closed, doesn't share that benefit.

October 21 2010 at 1:40 PM
1 reply to Shunnabunich's comment
TheCastro

Actually by your own admission to what the writer said, computers can be locked. Or logged out of. So FaceTime has the same benefit as cash in a drawer or radios in cars.

October 21 2010 at 4:01 PM
Donn

I can see both sides. I mean, duh, if you are computing in an untrustworthy environment, you shouldn't leave your computer unlocked, period, let alone worry about what app might be running. I lock my computer every time I leave my desk at work, and this is at a government office with highly vetted employees.

Best advice so far is to not associate your FaceTime ID with your iTunes ID, though you would think this to be logical, and the intent.

Still, I'm sure this oversight will be corrected shortly.

October 21 2010 at 1:40 PM
Rus Rasmussen

Thanks for the laugh. I actually laughed out loud to the surprise of a couple of co-workers passing by.

October 21 2010 at 1:34 PM
Joe RIckerby

Seems like you're being a little protective of Apple here, TUAW! Truth be told, this is quite a security hole. It's fair enough to say that physical access is total access, yes, access to the computer and its data.

But ordinarily, data not on the computer (files on your iDisk, card details in your iTunes account settings) does not apply to this rule.

October 21 2010 at 1:27 PM